Slide 1

SSL All The Things: Using SSL in Python
Markus Holtermann • @m_holtermann • KiwiPyCon 2016

Slide 2

Markus Holtermann
Senior Software Engineer at LaterPay
Django Core Developer
@m_holtermann • github.com/MarkusH • markusholtermann.eu

Slide 3

EASY MICROPAYMENTS FOR YOUR FAVORITE CONTENT
USE NOW, PAY LATER.
@laterpay • github.com/laterpay • laterpay.net
We are hiring

Slide 4

No content

Slide 5

Disclaimer

Slide 6

What is SSL / TLS?

Slide 7

What is Let’s Encrypt?

Slide 8

Trust store diagram. Labels: Trust Store (containing Root CA 1, Root CA 2, Root CA 3); Intermediate CA 1, Intermediate CA 2, Intermediate CA 3 (issued by the roots); Certs (leaf certificates issued by the intermediates).

Slide 9

What is Let’s Encrypt?

Slide 10

The ACME Process
Account Key • Certificate Key • Certificate Signing Request

Slide 11

The ACME Process (flow diagram). Labels, grouped by step:
Keys and request: Account Key, Public Account Key, Certificate Key, Certificate Signing Request
Registration: new-reg
Authorization: new-authz, Challenges, Write Challenges, Check challenge
Issuance: new-cert, Certificate, Retrieve Certificate

Slide 12

How to use Let’s Encrypt?

Slide 13

Webserver config for Challenges

# nginx names a virtual host block "server" (the slide read "host", which nginx rejects)
server {
    listen [::]:80;
    server_name example.com;
    # The alias directory must be the same one the ACME client writes its
    # challenge files to (--acme-dir on the next slide).
    location /.well-known/acme-challenge/ {
        alias /srv/http/acme-challenges/;
        try_files $uri =404;
    }
    location / {
        try_files $uri =404;
    }
}

Slide 14

Using Let’s Encrypt

python3 /etc/acme-tiny/acme-tiny.py \
    --account-key "/etc/acme-tiny/account.key" \
    --csr "/etc/acme-tiny/example.com.csr" \
    --acme-dir "/srv/www/acme-challenges" \
    --output "/etc/nginx/ssl/example.com.crt" \
    --combine "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"

Slide 15

How to use SSL in Python: Client

Slide 16

import socket
import ssl

HOST, PORT = 'example.com', 443


def handle(conn):
    # An HTTP/1.1 request needs CRLF line endings, a Host header and a blank
    # line ending the headers; without them the server never answers.
    conn.write(b'GET / HTTP/1.1\r\nHost: ' + HOST.encode() + b'\r\nConnection: close\r\n\r\n')
    print(conn.recv().decode())


def main():
    sock = socket.socket(socket.AF_INET)
    # Default context: CERT_REQUIRED against the system trust store, hostname checked.
    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1  # optional: refuse legacy TLS
    # server_hostname drives both SNI and hostname verification.
    conn = context.wrap_socket(sock, server_hostname=HOST)
    try:
        conn.connect((HOST, PORT))
        handle(conn)
    finally:
        conn.close()


if __name__ == '__main__':
    main()
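The client slide relies on three context settings: certificate verification, hostname checking and a modern TLS floor. The following audit, added here and not part of the talk, builds the hardened context beside a constructed weak one and reports which of those settings a given client context is missing (ssl.TLSVersion and minimum_version are assumed available, i.e. Python 3.7 or later).

```python
import ssl


def hardened_client_context():
    """Client context as on the slide, with the TLS floor set explicitly.

    minimum_version (Python 3.7+) replaces the deprecated
    OP_NO_TLSv1 | OP_NO_TLSv1_1 option bits used on the slide.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """Constructed counter-example: the settings that quietly turn a TLS
    connection into an unauthenticated, downgradeable one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # any certificate is accepted
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_client_context(ctx):
    """Return a list of findings; an empty list means the context is sound."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append('verify_mode is not CERT_REQUIRED: server certificate is not validated')
    if not ctx.check_hostname:
        findings.append('check_hostname is False: certificate is not matched against the host')
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append('minimum_version below TLS 1.2: legacy protocol versions allowed')
    return findings


if __name__ == '__main__':
    for name, build in (('hardened', hardened_client_context), ('weak', weak_client_context)):
        print(name, audit_client_context(build()) or ['OK'])
```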

Slide 17

How to use SSL in Python: Server

Slide 18

import socket
import ssl

HOST, PORT, CERT = 'example.com', 443, '/path/to/example.com.pem'


def handle(conn):
    print(conn.recv())
    # Connection: close tells the client not to wait for more data.
    conn.write(b'HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n%s' % conn.getpeername()[0].encode())


def main():
    sock = socket.socket()
    sock.bind((HOST, PORT))
    sock.listen(5)
    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    # One PEM file containing, in order: 1. key, 2. cert, 3. intermediates
    context.load_cert_chain(certfile=CERT)
    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1  # optional: refuse legacy TLS
    context.set_ciphers('EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH')
    while True:
        conn = None
        ssock, addr = sock.accept()
        try:
            # The handshake runs here; a failed handshake raises ssl.SSLError.
            conn = context.wrap_socket(ssock, server_side=True)
            handle(conn)
        except ssl.SSLError as e:
            print(e)
        finally:
            # conn is None when the handshake failed; close the raw socket then
            (conn or ssock).close()


if __name__ == '__main__':
    main()

Slide 19

What I didn’t cover ... but want to mention

Slide 20

Certificate Revocation

Slide 21

Changing the Account Key

Slide 22

HSTS / HPKP
HTTP Strict Transport Security
HTTP Public Key Pinning

Slide 23

Usage for other services

Slide 24

Things that could go wrong
An incomplete list

Slide 25

HSTS / HPKP

Slide 26

Leaked Keys

Slide 27

Resource Usage

Slide 28

Sources
● https://cipherli.st/
● https://www.ssllabs.com/ssltest/index.html
● https://hynek.me/talks/tls/
● https://ssldecoder.org/
● https://github.com/ietf-wg-acme/acme/blob/bf34c2a/draft-ietf-acme-acme.md
● https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html
● https://gist.github.com/MarkusH/2c8818096103c118657eb42e3b1e4563

Slide 29

Thanks
@m_holtermann • github.com/MarkusH • markusholtermann.eu • laterpay.net
Questions?